
Seized Megaupload Domains Link to Scam Ads and Malware

Well over three years have passed since Megaupload was shut down, but there is still little progress in the criminal proceedings against the operation.

The United States hopes that New Zealand will extradite Kim Dotcom and his colleagues, but the hearings have been delayed several times already.

Meanwhile, several domain names including the popular Megaupload.com and Megavideo.com remain under the control of the U.S. Government. At least, that should be the case. In reality, however, they’re now being exploited by ‘cyber criminals.’

Instead of a banner announcing that the domain names have been seized as part of a criminal investigation, they now direct people to a Zero-Click advertising feed. This feed often links to malware installers and other malicious ads.

One of the many malicious “ads” the Megaupload and Megavideo domain names are serving links to a fake BBC article, suggesting people can get an iPhone 6 for only £1.

And here is another example of a malicious ad prompting visitors to update their browser.

The question that immediately comes to mind is this: How can it be that the Department of Justice is allowing the domains to be used for such nefarious purposes?

Looking at the Whois records everything seems to be in order. The domain name still lists Megaupload Limited as registrant, which is as it was before. Nothing out of the ordinary.

The nameserver PLEASEDROPTHISHOST15525.CIRFU.BIZ, on the other hand, triggers several alarm bells.

CIRFU refers to the FBI’s Cyber Initiative and Resource Fusion Unit, a specialized tech team tasked with handling online crime and scams. The unit used the CIRFU.NET domain name as nameserver for various seized domains, including the Mega ones.

Interestingly, the CIRFU.NET domain now lists “Syndk8 Media Limited” as registrant, which doesn’t appear to have any connections with the FBI. Similarly, CIRFU.BIZ is not an official CIRFU domain either and points to a server in the Netherlands hosted by LeaseWeb.

It appears that the domain which the Department of Justice (DoJ) used as nameserver is no longer under the Government's control. Perhaps it expired, or was taken over via other means.
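The failure described above is a dangling NS delegation: the seized domain's Whois record looks untouched, but the nameserver it delegates to lives under a domain that has lapsed or changed hands, so whoever controls that domain controls where the seized site resolves. The following is an added example, not code from the article or from any agency, showing how an operator of seized or parked domains could audit its own delegations offline. It assumes a `whois_lookup` callable that returns WHOIS-style text for a registrable domain (here backed by a constructed in-memory table), a small hard-coded suffix list in place of a real Public Suffix List, and constructed domain names, registrants and dates.

```python
"""Audit a domain's NS delegation for lapsed or foreign-controlled nameserver domains.

Added example (not from the article). All domain names, registrants and
dates below are constructed; `whois_lookup` is assumed to be any callable
returning WHOIS-style text for a registrable domain, or None if unregistered.
"""
import re
from datetime import datetime, timezone

# Toy public-suffix table; production code would use a real Public Suffix List.
KNOWN_SUFFIXES = {"com", "net", "biz", "org", "co.nz"}


def registrable_domain(hostname: str) -> str:
    """Reduce a nameserver hostname to the domain someone must register to control it.
    e.g. 'ns1.lapsed-dns.biz.' -> 'lapsed-dns.biz', 'ns.example.co.nz' -> 'example.co.nz'."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer known suffix first
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-n - 1:])
    raise ValueError(f"unrecognised suffix in {hostname}")


def parse_whois(text: str) -> dict:
    """Pull the registrant organisation and expiry date out of WHOIS-style text."""
    info = {"registrant": None, "expiry": None}
    m = re.search(r"^Registrant Organization:\s*(.+)$", text, re.M)
    if m:
        info["registrant"] = m.group(1).strip()
    m = re.search(r"^Registry Expiry Date:\s*(\S+)", text, re.M)
    if m:
        info["expiry"] = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return info


def audit_delegation(domain, ns_hosts, whois_lookup, trusted_registrants, now):
    """Return (nameserver, parent_domain, problem) for every NS host whose
    registrable domain is unregistered, expired, or owned by an untrusted party."""
    findings = []
    for ns in ns_hosts:
        parent = registrable_domain(ns)
        text = whois_lookup(parent)
        if text is None:
            # Nobody holds the name: anyone could register it and hijack `domain`.
            findings.append((ns, parent, "unregistered"))
            continue
        info = parse_whois(text)
        if info["expiry"] is not None and info["expiry"] < now:
            findings.append((ns, parent, "expired"))
        elif info["registrant"] not in trusted_registrants:
            findings.append((ns, parent, f"registrant not trusted: {info['registrant']}"))
    return findings


# Constructed sample data: one healthy delegation and three broken ones.
SAMPLE_NS = [
    "ns1.agency-dns.net.",       # still held by the seizing agency
    "ns1.lapsed-dns.biz.",       # registration expired
    "ns1.takenover-dns.net.",    # re-registered by an unrelated company
    "ns1.neverregistered.org.",  # not registered at all
]
WHOIS_DB = {
    "agency-dns.net": "Registrant Organization: Example Federal Agency\n"
                      "Registry Expiry Date: 2030-01-01T00:00:00Z\n",
    "lapsed-dns.biz": "Registrant Organization: Example Federal Agency\n"
                      "Registry Expiry Date: 2015-01-01T00:00:00Z\n",
    "takenover-dns.net": "Registrant Organization: Other Company\n"
                         "Registry Expiry Date: 2030-01-01T00:00:00Z\n",
}
TRUSTED = {"Example Federal Agency"}
AUDIT_TIME = datetime(2015, 7, 1, tzinfo=timezone.utc)


def run_sample():
    """Audit the constructed seized domain against the constructed WHOIS table."""
    return audit_delegation("seized-example.com", SAMPLE_NS, WHOIS_DB.get, TRUSTED, AUDIT_TIME)


if __name__ == "__main__":
    for ns, parent, problem in run_sample():
        print(f"{ns} -> {parent}: {problem}")
```

The check deliberately keys on the nameserver's registrable domain rather than the seized domain itself, because, as the article shows, the seized domain's own Whois record can look entirely normal while the delegation underneath it has been lost. Running it periodically against every seized or parked domain, and treating any non-empty result as an incident, would catch the expired-nameserver case before traffic is redirected.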